Secret key transfer method which is highly secure and can restrict the damage caused when the secret key is leaked or decoded

ABSTRACT

A transmission apparatus 100 includes a secret key storage unit 103 that stores three secret keys K1, K2 and K3, a secret key selection unit 104 that selects one secret key Ks from the secret keys, a message generation unit 106 for generating a message M used as a carrier for indicating a secret key, an encryption module 105 for generating a cryptogram Ca by encrypting the generated message M using the secret key Ks, an encryption module 107 for generating a cryptogram Cm by encrypting the message M using the message M itself as the secret key, and two transmission units 111 and 112 for transmitting the cryptograms Ca and Cm to the reception apparatus 200 to indicate the selected secret key Ks. The reception apparatus 200 includes a decryption module, such as 221, for generating decrypted data Mi by decrypting the cryptogram Ca using a secret key Ki out of the three secret keys, and a decryption module, such as 222, for generating decrypted data Mii by decrypting the cryptogram Cm using the decrypted data Mi, and authorizes that the secret key Ki has been selected when the decrypted data Mi matches the decrypted data Mii.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a transfer method for secret keys to beused in encrypted communication, and especially relates to a techniquefor specifying one out of a plurality of distributed secret keys that isto be used in encrypted communication.

2. Description of the Prior Art

In recent years, secret key encrypted communication systems have beendeveloped which encrypt data for using a secret key and transmit theencrypted data using a transfer medium or record the encrypted data ontoa recording medium for later reproduction. In such systems, thetransmission apparatus and the reception apparatus respectively performencryption and decryption using a shared secret key which has beenprovided to both apparatuses beforehand.

When both the transmission apparatus and the reception apparatus areprovided with a plurality of secret keys, it is necessary to specify oneof these secret keys before encrypted communication is commenced so thatboth apparatuses will use the correct key. This is performed to ensurethat the reception apparatus will be able to decrypt the cryptogramstransmitted by the transmission apparatus.

In conventional encrypted communication systems, however, should thesecret key be obtained by an unauthorized third party, it will benecessary to replace the secret key with a new secret key in all of thecommunication devices which previously used this secret key. When thesecret key is permanently stored in the components of the communicationapparatuses, such as in a ROM (Read Only Memory), or when the secret keywas used by a large number of communication apparatuses, this means thata great deal of work needs to be performed to establish the new key.

SUMMARY OF THE INVENTION

The present invention has been conceived in view of the stated problemsand has a first object of providing a secret key transfer technique thatprevents third parties from decoding the secret key, and allows secretkey encrypted communication to be continued without having to provide anew secret key, even when one of the secret keys has been leaked ordecoded.

The stated object can be achieved by a secret key transfer method thatis used in a communication system composed of a transmission apparatusand a reception apparatus, where the transmission apparatus selects onesecret key Ks out of a plurality of secret keys that are providedbeforehand, and transfers an indication of the selected secret key Ks tothe reception apparatus. The transmission apparatus includes a secretkey storage unit that stores a plurality of secret keys K1-Kn, a secretkey selecting unit that selects one out of the plurality of secret keysK1-Kn, a message generation unit that generates a message used as acarrier for transferring the secret key Ks, a first encrypting unit forgenerating a cryptogram Ca by encrypting the message using the selectedsecret key Ks, a second encrypting unit for generating a cryptogram Cmby encrypting the message using the message itself as the encryptionkey, and a transferring unit for transmitting the cryptograms Ca and Cmto the reception apparatus to transfer the secret key Ks. The receptionapparatus includes a first decrypting unit for decrypting the cryptogramCa using each secret key Ki successively selected out of the pluralityof secret keys K1-Kn to generate the decrypted data Mi, a seconddecrypting unit for decrypting the cryptogram Cm using the decrypteddata Mi as the decryption key to generate the decrypted data Mii, and ajudging unit for judging whether the decrypted data Mi matches thedecrypted data Mii. When the decrypted data Mi matches the decrypteddata Mii for one of the secret keys Ki, the reception apparatusauthorizes this secret key Ki as the secret key Ks transferred from thetransmission apparatus.

The reception apparatus utilizes the predetermined rule for thecryptogram Cm, which is to say that the cryptogram Cm is generated byencrypting the plaintext M using the same plaintext M as the encryptionkey, as the basis for its judgement, and so is able to specify thesecret key Ks and the message M transferred by the transmissionapparatus.

Although secret key Ks selected by the transmission apparatus out of thesecret keys K1-Kn is transmitted to the reception apparatus in aconcealed state whereby it cannot be directly known, the receptionapparatus still is able to specify the same secret key Ks, making thepresent secret key transfer technique safe from attempts by thirdparties to obtain the secret key.

The present secret key transfer technique is also such that should oneof the secret keys be leaked or decoded, the transmission apparatus canbe simply made to select a different secret key out of the plurality ofsecret keys, meaning the secret key encrypted communication can becontinued without having to provide a new secret key to bothapparatuses.

Here, before transmitting the cryptograms Ca and Cm, the transmissionapparatus may investigate whether the cryptograms Ca and Cm are suitablecryptograms which ensure that the correct secret key Ks can be specifiedby the reception apparatus.

In more detail, the transmission apparatus may further include a firstdecrypting unit for generating decrypted data Ma by decrypting thecryptogram Ca using a secret key Kj selected one at a time from thesecret keys which were not selected by the secret key selecting unit, asecond encrypting control unit for having the second encrypting unitgenerate the cryptogram Cmm by encrypting the decrypted data Ma usingthe decrypted data Ma itself as the encryption key, and a gate unit andcomparing unit for only allowing the transmission of the cryptograms Caand Cm when the cryptogram Cmm does not match the cryptogram Cm for allof the secret keys Kj.

Alternatively, the transmission apparatus may further include a firstdecrypting unit for generating decrypted data Ma by decrypting thecryptogram Ca using a secret key Kj selected one at a time from thesecret keys which were not selected by the secret key selecting unit, asecond decrypting unit for generating decrypted data Mm by decryptingthe cryptogram Cm using the decrypted data Ma as the decryption key, anda gate unit and comparing unit for only allowing the transmission of thecryptograms Ca and Cm when the decrypted data Ma does not match thedecrypted data Mm for all of the secret keys Kj.

As a result, the problems that can occur due to the second encryptionunit encrypting the message M with the same message M as the encryptionkey, which is to say the reception apparatus mistakenly authorizing asecret key Kj that differs from the secret key Ks selected by thetransmission apparatus, can be avoided.

BRIEF DESCRIPTION OF THE INVENTION

These and other objects, advantages and features of the invention willbecome apparent from the following description thereof taken inconjunction with the accompanying drawings which illustrate a specificembodiment of the invention. In the drawings:

FIG. 1 is a block diagram showing the construction of the encryptedcommunication system of the first embodiment of the present invention;

FIG. 2 is a flowchart showing the operation procedure of thetransmission apparatus 100 in the present system;

FIG. 3 is a flowchart showing the operation procedure of the receptionapparatus 200 in the present system;

FIG. 4 is a block diagram showing the construction of the transmissionapparatus 300 of the encrypted communication system of the secondembodiment of the present invention;

FIG. 5 is a flowchart showing the operation procedure of thetransmission apparatus 300;

FIG. 6 is a block diagram showing the construction of the transmissionapparatus 400 of the encrypted communication system of the thirdembodiment of the present invention; and

FIG. 7 is a flowchart showing the operation procedure of thetransmission apparatus 400.

DESCRIPTION OF THE PREFERRED EMBODIMENTS First Embodiment

The following is a description of the first embodiment of the presentinvention with reference to the drawings.

This first embodiment is secret key encrypted communication system thatuses the secret key transfer method of the present invention. It shouldbe noted that in the present specification, the expression "secret keytransfer" refers not to the transfer of the secret key itself, but tothe transfer of information that indicates one out of a plurality ofsecret keys that are distributed in advance.

Construction of the Encrypted Communication System

FIG. 1 is a block diagram showing the construction of the encryptedcommunication system of the first embodiment. This system is composed ofa transmission apparatus 100, a reception apparatus 200, and threetransfer paths 120-122 which connect these apparatuses. In the presentsystem, three secret keys K1, K2, and K3 are provided beforehand to thetransmission apparatus 100 and to the reception apparatus 200, so thatthe transmission apparatus 100 can freely select one of these secretkeys and use it to encrypt a digital production which it then transmitsto the reception apparatus 200.

The transmission apparatus 100 can be realized using a personal computerthat is capable of communication and a magnetic disc drive. In detail,the transmission apparatus 100 is composed of a digital production 101,a secret key storage unit 103, a secret key selection unit 104, threeencryption modules 102, 105, and 107, a message generation unit 106, andthree transmission units 110-112.

The transmission apparatus 100 has the final object of encrypting thestored digital production 101 and transferring it to the receptionapparatus 200. To do so, the transmission apparatus 100 transmits twokinds of cryptograms to the reception apparatus 200, namely, thecryptogram Ca for secretly informing the reception apparatus 200 of thesecret key used for encrypting the digital production and the cryptogramCm for informing the reception apparatus of the predetermined rule usedas the standard for specifying this secret key, in addition to theencrypted digital production Cd.

The digital production 101 can be realized by a hard disk drive, andstores data, such as a digitized text, audio, video, or a program.

The secret key storage unit 103 can be realized by a semiconductormemory which stores the three secret keys K1, K2, and K3.

The secret key selection unit 104 freely selects and reads one of thesecret keys K1 to K3, which are stored in the secret key storage unit103, as the secret key to be used to encrypt the digital production 101.The secret key selection unit 104 then sends this secret key to theencryption module 102 and the encryption module 105.

The encryption module 102 can be an integrated circuit (IC) thatperforms encryption based on a secret encryption algorithm E1. Theencryption module 102 reads a one-block unit of the digital data "Data"from the digital production 101, encrypts the data using the secret keyKs sent from the secret key selection unit 104 as the encryption key,and transfers the obtained cryptogram Cd(=E1(Data,Ks)) to thetransmission unit 110. The encryption module 102 repeats this processingfor all of the data in the digital production 101.

Note here that the notation "E(M,K)" shows a cryptogram obtained bysubjecting the plaintext M to the encryption algorithm E using theencryption key K. In the same way, the notation "D(C,K)" shows thedecrypted data obtained by subjecting the cryptogram C to the decryptionalgorithm D using the decryption key K.

The message generation unit 106 can be realized by a random numbergenerator that generates a random number and stores it as the message M.This message M is dummy data that is used as the carrier for informingthe reproduction apparatus 200 of the secret key used for the encryptionof the digital production 101. Accordingly, the content of this messageM is not especially important.

The encryption module 105 can be an integrated circuit (IC) thatperforms encryption based on a secret encryption algorithm E2. Theencryption module 105 reads the message M stored in the messagegeneration unit 106, encrypts it using the secret key Ks sent from thesecret key selection unit 104 as the encryption key, and transfers theobtained cryptogram Ca(=E2(M,Ks)) to the transmission unit 111.

The encryption module 107 can be an integrated circuit (IC) thatperforms encryption based on a secret encryption algorithm E3. Theencryption module 107 reads the message M stored in the messagegeneration unit 106, encrypts it using the message M itself as theencryption key, and transfers the obtained cryptogram Cm(=E3(M,M)) tothe transmission unit 112.

The cryptograms Ca and Cm described here are used to indirectly informthe reception apparatus 200 of which of the secret keys K1, K2, and K3has been selected by the secret key selection unit 104 as the secret keyKs.

The transmission units 110, 111, and 112 can each be composed of aparallel-to-series convertor and an amplifier, and are respectively usedto transmit the cryptograms Cd, Ca, and Cm to the reception apparatus200 via the transfer paths 120, 121, and 122.

The transfer paths 120-122 can be composed of communication cables or arecording medium.

The reception apparatus 200, meanwhile, is composed of seven decryptionmodules 201, 221, 222, 231, 232, 241, and 242, three secret key storageunits 220, 230, and 240, three judging units 223, 233, and 243, anoverall judging unit 203, a secret key selection unit 202, and threereception units 210-212.

This reproduction apparatus has a final object of decrypting and usingthe encrypted digital production Cd transmitted by the transmissionapparatus 100. Here, the secret key to be used in the decryption, whichis to say the secret key Ks which was selected by the secret keyselection unit 104 in the transmission apparatus 100, is specified fromthe two kinds of cryptogram Ca and Cm that are transmitted with theencrypted digital production Cd.

The reception units 210, 211, and 212 can each be composed of aseries-to-parallel convertor, and are respectively used to receive thethree kinds of cryptogram Cd, Ca, and Cm from the transfer paths 120,121, and 122.

The decryption module 201 can be composed of an IC for performingdecryption based on the secret decryption algorithm D1 that is theinverse transformation of the encryption algorithm E1 of the encryptionmodule 102 in the transmission apparatus 100. When given a secret key Ksby the secret key selection unit 202, the decryption module 201 uses thesecret key to decrypt the cryptogram Cd sent from the reception unit210, and by doing so restores the block data "Data" (=D1(Cd,Ks)) of theoriginal digital production.

It should be noted here that the decryption module 201 only repeats itsdecryption while the encrypted digital production Cd is being repeatedlysent from the transmission apparatus 100. When it has not been given asecret key Ks by the secret key selection unit 202, the decryptionmodule 201 judges that the specifying of the secret key has failed andso does not attempt to decrypt the encrypted digital production Cd.

The secret key storage unit 220, the decryption module 221, thedecryption module 222, and the judging unit 223 form one subcircuitwhose object is to judge whether the secret key used by the transmissionapparatus 100 is the secret key K1. In the same way, the secret keystorage unit 230, the decryption module 231, the decryption module 232,and the judging unit 233 form one subcircuit whose object is to judgewhether the secret key used by the transmission apparatus 100 is thesecret key K2. Also, the secret key storage unit 240, the decryptionmodule 241, the decryption module 242, and the judging unit 243 form onesubcircuit whose object is to judge whether the secret key used by thetransmission apparatus 100 is the secret key K3. These three subcircuitsare identical in construction and function, with the only differencebeing in the secret key stored in the secret key storage unit 220, inthe secret key storage unit 230, and in the secret key storage unit 240.Accordingly, only one of these subcircuits will be described.

The secret key storage unit 220 can be composed of semiconductor memorythat stores the secret key K1.

The decryption module 221 can be composed of an IC for performingdecryption based on the secret decryption algorithm D2 that is theinverse transformation of the encryption algorithm E2 of the encryptionmodule 105 in the transmission apparatus 100. This decryption module 221decrypts the cryptogram Ca sent from the reception unit 211 using thesecret key K1 read from the secret key storage unit 220 as thedecryption key, and sends the obtained decrypted data M1(=D2(Ca,K1)) tothe judging unit 223 and the decryption module 222.

The decryption module 222 can be composed of an IC for performingdecryption based on the secret decryption algorithm D3 that is theinverse transformation of the encryption algorithm E3 of the encryptionmodule 107 in the transmission apparatus 100. This decryption module 222decrypts the cryptogram Cm sent from the reception unit 212 using thedecrypted data M1 sent from the decryption module 221 as the decryptionkey, and sends the obtained decrypted data M11(=D3(Cm,M1)) to thejudging unit 223.

The judging unit 223 can be composed of a comparator, and judges whetherthe decrypted data M1 sent from the decryption module 221 matches thedecrypted data M11 sent from the decryption module 222. When the twosets of decrypted data match, the judging unit 223 sends the data "1" tothe overall judging unit 203, or otherwise sends the data "0" to theoverall judging unit 203.

Here, the case where the two sets of decrypted data match (M1=M11)corresponds to the case where the secret key Ks selected by thetransmission apparatus 100 is secret key K1. The reasoning behind thisis explained below.

Suppose that the secret key selection unit 104 in the transmissionapparatus 100 has selected secret key K1. In such case,

    Ks=K1                                                      Equation (1)

This means that the following relationships are established.

    Ca=E2(M,Ks)

     =E2(M,K1)                                                 Equation (2)

    Cm=E3(M,M)                                                 Equation (3)

As a result, the decrypted data M1 outputted by the decryption module221 of the reception apparatus 200 can be rearranged using the relationgiven in Equation (2) above.

    M1=D2(Ca,K1)

     =D2(E2(M,K1),K1)

     =M                                                        Equation (4)

On the other hand, the decrypted data M11 outputted by the decryptionmodule 222 of the reception apparatus 200 can be rearranged using therelations given in Equations (3) and (4) above.

    M11=D3(Cm,M1)

     =D3(E3(M,M),M)

     =M                                                        Equation (5)

From Equations (4) and (5) above:

    M1=M11                                                     Equation (6)

It should be noted here that the judging unit 233 in the secondsubcircuit similarly judges whether the decrypted data M2 sent from thedecryption module 231 matches the decrypted data M22 sent from thedecryption module 232. When the two sets of decrypted data match, thejudging unit 233 sends the decrypted data "1" to the overall judgingunit 203, or otherwise sends the data "0" to the overall judging unit203. The judging unit 243 in the third subcircuit similarly judgeswhether the decrypted data M3 sent from the decryption module 241matches the decrypted data M33 sent from the decryption module 242. Whenthe two sets of decrypted data match, the judging unit 243 sends thedecrypted data "1" to the overall judging unit 203, or otherwise sendsthe data "0" to the overall judging unit 203.

The overall judging unit 203 can be composed of a logical OR circuit anda selector, and, based on the data sent from the judging unit 223, thejudging unit 233, and the judging unit 243, sends a specification ("1","2", or "3") of the secret key (K1, K2, or K3) which should be used forthe decryption of the encrypted digital production Cd sent from thetransmission apparatus 100 to the secret key selection unit 202, orotherwise sends an indication ("0") that a decryption key cannot beidentified to the secret key selection unit 202.

More specifically, when the output of the judging unit 223 is the data"1" showing that the sets of decrypted data match, the overall judgingunit 203 sends an indication "1", showing that secret key K1 isselected, to the secret key selection unit 202, regardless of theoutputs of the judging unit 233 and the judging unit 243. When theoutput of the judging unit 223 is the data "0" and the output of thejudging unit 233 is the data "1", the overall judging unit 203 sends anindication "2", showing that secret key K2 is selected, to the secretkey selection unit 202. Similarly, when the output of the judging unit243 is the data "1", the overall judging unit 203 sends an indication"3", showing that secret key K3 is selected, to the secret key selectionunit 202. When the data outputted by each of the judging units 223, 233,and 243 is "0" showing that none of the data matches, the overalljudging unit 203 sends the indication "0" to the secret key selectionunit 202 showing that a decryption key could not be specified.

The secret key selection unit 202 can be composed of a selector, and,depending on whether the output of the overall judging unit 203 is "0","1", "2", or "3", does not output a secret key to the decryption module201, outputs the secret key K1 to the decryption module 201, outputs thesecret key K2 to the decryption module 201, or outputs the secret key K3to the decryption module 201. This secret key selection unit 202maintains its output while the blocks of the encrypted digitalproduction Cd are being repeatedly transmitted from the transmissionapparatus 100.

Operation of the Encrypted Communication System

The following is a description of the operation of the encryptedcommunication system whose construction is described above.

FIG. 2 is a flowchart for the operation of the transmission apparatus100. First, the secret key selection unit 104 randomly selects one ofthe three secret keys K1, K2, or K3 stored in the secret key storageunit 103 as the secret key Ks and sends it to the encryption module 102and the encryption module 105 (step S10).

The encryption module 102 uses the secret key Ks to encrypt the blockdata "Data" of the digital production 101, thereby generating thecryptogram Cd. The encryption module 102 then sends this to thetransmission unit 110 (step S11).

The message generation unit 106 generates one message M (step S12).

The encryption module 105 uses the same secret key Ks to encrypt themessage M sent from the message generation unit 106 to generate thecryptogram Ca. The encryption module 102 then sends this to thetransmission unit 111. Meanwhile, the encryption module 107 encrypts themessage M using the message M itself as the secret key, therebygenerating the cryptogram Cm which it sends to the transmission unit 112(step S13).

Finally, the transmission units 110, 111, and 112 transmit these threecryptograms Cd, Ca, and Cm to the reception apparatus 200 (step S14). Itshould be noted here that for the remaining blocks of the digitalproduction 101, only the transmission of the cryptogram Cd is repeated,so that the cryptograms Ca and Cm are only transmitted once.

FIG. 3 is a flowchart showing the operation of the reception apparatus200. First, the reception units 210, 211, and 212 receive the threecryptograms Cd, Ca, and Cm transmitted from the transmission apparatus100 via the three transfer paths 120, 121, and 122, and respectivelysend the received cryptogram Cd to the decryption module 201, thecryptogram Ca to the decryption module 221, the decryption module 231,and the decryption module 241, and the cryptogram Cm to the decryptionmodule 222, the decryption module 232, and the decryption module 242(Step S20).

In the first decrypting stage, the decryption module 221 decrypts thecryptogram Ca sent from the reception unit 211 using the secret key K1read from the secret key storage unit 220 to generate the decrypted dataM1 which it sends to the decryption module 222 and the judging unit 223.Simultaneously, the decryption module 231 decrypts the cryptogram Casent from the reception unit 211 using the secret key K2 read from thesecret key storage unit 230 to generate the decrypted data M2 which itsends to the decryption module 232 and the judging unit 233, and thedecryption module 241 decrypts the cryptogram Ca sent from the receptionunit 211 using the secret key K3 read from the secret key storage unit240 to generate the decrypted data M3 which it sends to the decryptionmodule 242 and the judging unit 243 (step S21).

In the second decrypting stage, the decryption module 222 decrypts thecryptogram Cm received from the reception unit 212 using the decrypteddata M1 generated by the decryption module 221 as the decryption key togenerate the decrypted data M11 which it sends to the judging unit 223,while in parallel the decryption module 232 decrypts the cryptogram Cmreceived from the reception unit 212 using the decrypted data M2generated by the decryption module 222 as the decryption key to generatethe decrypted data M22 which it sends to the judging unit 223, and thedecryption module 242 decrypts the cryptogram Cm received from thereception unit 212 using the decrypted data M3 generated by thedecryption module 242 as the decryption key to generate the decrypteddata M33 which it sends to the judging unit 243 (step S22).

The judging unit 223 judges whether the decrypted data M1 generated bythe decryption module 221 matches the decrypted data M11 generated bythe decryption module 222 and, when the data matches, outputs the data"1" to the overall judging unit 203, or otherwise outputs "0" to theoverall judging unit 203 (step S23). Concurrently, the judging unit 233judges whether the decrypted data M2 generated by the decryption module231 matches the decrypted data M22 generated by the decryption module232 and, when the data matches, outputs the data "1" to the overalljudging unit 203, or otherwise outputs "0" to the overall judging unit203 (step S24), and the judging unit 243 judges whether the decrypteddata M3 generated by the decryption module 241 matches the decrypteddata M33 generated by the decryption module 242 and, when the datamatches, outputs the data "1" to the overall judging unit 203, orotherwise outputs "0" to the overall judging unit 203 (step S25).

On receiving the data "1" indicating a match from the judging unit 223,the overall judging unit 203 gives this data priority over any data sentfrom the judging unit 233 or the judging unit 243, and so gives anindication "1" to the secret key selection unit 202 indicating aselection of the secret key K1. As a result, the decryption module 201uses the secret key K1 sent from the secret key selection unit 202 todecrypt the cryptogram Cd sent from the transmission unit 210 into theoriginal "Data" of the digital production (Step S26).

On the other hand, when the overall judging unit 203 has received thedata "0" from the judging unit 223 showing that there has not been amatch and the data "1" from the judging unit 233 indicating a match, theoverall judging unit 203 gives an indication "2" to the secret keyselection unit 202, indicating a selection of the secret key K2. As aresult, the decryption module 201 uses the secret key K2 sent from thesecret key selection unit 202 to decrypt the cryptogram Cd sent from thetransmission unit 210 into the original "Data" of the digital production(Step S27).

On the other hand, when the overall judging unit 203 has received thedata "0" from the judging unit 223 and the judging unit 233 showing thatthere has not been a match and the data "1" from the judging unit 243indicating a match, the overall judging unit 203 gives an indication "3"to the secret key selection unit 202, indicating a selection of thesecret key K3. As a result, the decryption module 201 uses the secretkey K3 sent from the secret key selection unit 202 to decrypt thecryptogram Cd sent from the transmission unit 210 into the original"Data" of the digital production (Step S28).

When the judging unit 223, the judging unit 233, and the judging unit243 send the data "0" showing that there has not been a match, theoverall judging unit 203 gives an indication "0" to the secret keyselection unit 202. As a result, the decryption module 201 does notdecrypt the cryptogram Cd sent from the reception unit 210 (Step S25).

As described above, the present invention has three secret keysdistributed to both the transmission apparatus 100 and the receptionapparatus 200, with the transmission apparatus 100 using one of thesecret keys to encrypt the digital production 101 before transmission tothe reception apparatus 200. The reception apparatus 200, meanwhile,will be able to decrypt the encrypted digital production 101 despite notreceiving a clear indication of which of the three secret keys has beenused as the secret key Ks for encryption. This is possible because thereception apparatus 200 is indirectly informed of which secret key hasbeen selected as the secret key Ks by the two cryptograms Ca and Cm.

The transfer of the secret key described above is possible due to thepredetermined rule of the cryptogram Cm, which is to say, cryptogram Cmis the result of encryption of the message M using the message M itselfas the encryption key, so that the reception apparatus 200 can use thiscryptogram Cm to specify the secret key Ks which was used by thetransmission apparatus 100.

With the secret key transfer method of the present embodiment describedabove, (i) cryptograms, not plaintexts, are transmitted on the transferpaths 121 and 122, (ii) a time-variant random number (message M) is usedfor such transfer, and (claimant function selection number i) the randomnumber (message M) is encrypted using the random number (message M)itself as the encryption key, so that there is no fixed relationshipbetween secret key Ks selected by the transmission apparatus 100 and thecryptograms Ca and Cm transmitted to the reception apparatus 200. As aresult, the system is secure from attack by a third party who interceptsthe communication on the transfer paths 120-122.

Second Embodiment

The following is an explanation of the second embodiment of the presentinvention, with reference to the drawings.

In the same way as the first embodiment, this second embodiment is asecret key encrypted communication system which uses three kinds ofcryptograms, Cd, Ca, and Cm, to transfer a secret key and a digitalproduction. The second embodiment differs from the first embodiment inthat the transmission apparatus is further equipped with a function forensuring that the reception apparatus will be able to specify thecorrect secret key Ks.

Construction of the Transmission Apparatus

FIG. 4 is a block diagram showing the construction of the transmissionapparatus 300 of the encrypted communication system of the secondembodiment of the present invention. In this second embodiment, thereception apparatus is identical to the reception apparatus 200described in the first embodiment.

In addition to the components 101-107 and 110-112 of the transmissionapparatus 100 in the first embodiment, the transmission apparatus 300includes a decryption module 320, a gate unit 321, a comparator 322, adistributor 323, and two selectors 324 and 325.

The transmission apparatus 300 of the present embodiment is the same asthe transmission apparatus 100 in that the secret key selection unit 104freely selects and reads one of the secret keys K1, K2, and K3 stored inthe secret key storage unit 103 as the secret key Ks used for encryptingthe digital production 101, before supplying the secret key Ks to theencryption module 102 and the encryption module 105, but differs in thatthe remaining two secret keys Kj (j=1,2) are successively read by thesecret key selection unit 104 are sent to the decryption module 320.

The decryption module 320 is the same as the decryption module 221 inthe first embodiment, which is to say an IC for performing decryptionaccording to the decryption algorithm D2 which is the inverse conversionof the encryption algorithm E2 of the encryption module 105. Every timeit receives a secret key Kj from the secret key selection unit 104, thedecryption module 320 decrypts the cryptogram Ca generated by theencryption module 105 using the secret key Kj and sends the obtaineddecrypted data Ma(=D2(Ca,Kj)) to the selectors 324 and 325.

The gate unit 321 can be composed of a latch circuit and stores both thecryptogram Ca generated by the encryption module 105 and the cryptogramCm generated by the encryption module 107 (this cryptogram Cm havingpassed through the distributor 323). Based on an indication from thecomparator 322, the gate unit 321 discards the stored cryptograms Ca andCm, or otherwise outputs them to the transmission units 111 and 112.

The selectors 324 and 325 are composed of two input-one outputmultiplexer circuits which select the cryptogram Ma from the decryptionmodule 320 after selecting the message M from the message generationunit 106.

The distributor 323 is composed of a multiplexer circuit that operatesto synchronize the selectors 324 and 325. When the selectors 324 and 325select the message M, the distributor 323 sends the cryptogram Cmoutputted by the encryption module 107 into the gate unit 321 and thefirst input port of the comparator 322. On the other hand, when theselectors 324 and 325 select the decrypted data Ma, the distributor 323sends the cryptogram Cmm outputted by the encryption module 107 into thesecond input port of the comparator 322.

The comparator 322 stores the cryptogram Cm inputted into the firstinput port and judges whether this cryptogram Cm matches any of thecryptograms Cmm successively inputted into the second input port.

When there is a match, the comparator 322 notifies the gate unit 321 andthe message generation unit 106 of the match to have the messagegeneration unit 106 generate a new message M and the gate unit 321discard the two cryptograms Ca and Cm which it is holding and to insteadhold new cryptograms Ca and Cm.

On the other hand, when none of the cryptograms Cmm inputted into thesecond input port matches the cryptogram Cm, the comparator 322 informsthe gate unit 321 that there has not been a match, thereby allowing thegate unit 321 to transfer the held cryptograms Ca and Cm to thetransmission units 111 and 112.

With the operation described above, the low probability that a mistakenjudgement is made by one of the three judging units 223, 233, and 243 ofthe reception apparatus 200, which is to say, the risk that erroneousdecryption will be performed using a decryption key Kj that differs fromthe secret key Ks selected by the secret key selection unit 104 of thetransmission apparatus 300, can be avoided. This could be caused whenthe two sets of decrypted data Mj(=D2(Ca,Kj)) and Mjj(=D3(Cm,Mj))inputted into one of the judging units 223-243 also match.

The above operation can prevent cases where, for example, even thoughthe transmission apparatus 300 has used the secret key K2 to encrypt thedigital production 101 and the message M, in the reception apparatus200, the decrypted data M1 generated by the decryption module 221 andthe decrypted data M11 generated by the decryption module 222 still endup matching.

The reason that there is a slight probability of the error describedabove occurring in the secret key transfer method of the firstembodiment is described below.

When, in the first embodiment, the transmission apparatus 100 selectsthe secret key K2, uses it to perform encryption, and sends the threecryptograms Cd, Ca, and Cm to the reception apparatus 200. In thereception apparatus 200, the decrypted data M1 generated by thedecryption module 221 and the decrypted data M11 generated by thedecryption module 222 are generated using a secret key K1 that differsfrom the secret key K2 used by the transmission apparatus 100, so thatit can be ensured that neither of the sets of decrypted data M1 and M11will match the original message M.

However, the above premise does not exclude the possibility that M1 willstill match M11, which is to say, the possibility that decrypted data M1and M11 match each other (M1=M11), despite differing from the originalmessage (M1≠M and M11≠M).

This is explained from a different angle below.

Suppose that the encryption modules 105 and 107 for transferring thesecret key each receive a plaintext of L bits and use an encryption keyof L bits to generate a cryptogram also of L bits.

Here, for the encryption module 105, the L bits of the encryption keyare fixed (according to a secret key such as K2), with a one-to-onemapping relation of L bits to L bits being established between theplaintext and the cryptogram. Accordingly, a complete decryption of allL bits of the cryptogram is possible.

However, the encryption performed by the encryption module 107 is of aspecial nature in that the plaintext and encryption key are related toone another, so that while the plaintext and the cryptogram may both beof L bits, changes in the L bits of the plaintext also result in changesin the L bits of the encryption key. Accordingly, it cannot be ensuredthat a one-to-one mapping relation of L bits to L bits is establishedbetween the plaintext and the cryptogram or that a complete decryptionof all L bits of the cryptogram is possible.

This means that the number of different cryptograms generated for anumber 2 to the power L types of plaintext will be less than 2 to thepower L, so that there is the possibility that there will be two or moreplaintexts which result in the same cryptogram.

For this reason, the reception apparatus 200 of the at first embodimentsuffers from the risk that the decrypted data Mj obtained by decryptingthe cryptogram Ca and the decrypted data Mjj obtained by decrypting thecryptogram Cm will match, even though these sets of decrypted data Mjand Mjj do not match the original message M, causing the problemsdescribed earlier.

In the present embodiment, the construction including the decryptionmodule 320, the comparator 322, and the gate unit 321 in thetransmission apparatus 300 prevents combinations of cryptograms Ca andCm that could cause the problems described above being transmitted tothe reception apparatus 200.

Operation of the Transmission Apparatus

FIG. 5 is a flowchart showing the operation procedure of thetransmission apparatus 300 in the encrypted communication system of thesecond embodiment.

In FIG. 5, steps S30-S33 and step S39 are the same as steps S10-S13 andS14 in the flowchart of FIG. 2 for the first embodiment. However, inS33, the cryptogram Ca generated by the encryption module 105 is held bythe gate unit 321 and the cryptogram generated by the encryption module107 is held by the gate unit 321 and the comparator 322 via thedistributor 323.

After completing the selection of the secret key Ks and the generationof the three cryptograms Cd, Ca, and Cm (steps S30-S33), a fixed loopprocess (steps S34-S38) is performed before transmitting the cryptogramsCd, Ca, and Cm. This loop process judges whether the current cryptogramsCa and Cm are suitable for transferring the secret key, with the newcryptograms Ca and Cm being generated when the current cryptograms Caand Cm are deemed unsuitable.

In more detail, the secret key selection unit 104 reads one secret keyKj which is not the secret key Ks from the secret key storage unit 103and sends it to the decryption module 320, with the following processes(steps S35-S37) being repeated (steps S34-S38).

First, the decryption module 320 uses the secret key Kj sent from thesecret key selection unit 104 as a decryption key to decrypt thecryptogram Ca generated in step S33 and sends the obtained decrypteddata Ma to the selectors 324 and 325 (step S35).

The selectors 324 and 325 select the received decrypted data Ma and letit pass through. As a result, the encryption module 107 encrypts thedecrypted data Ma using the decrypted data Ma itself as the decryptionkey, and outputs the resulting cryptogram Cmm (=E2(Ma,Ma)) to thedistributor 323. The distributor 323 then allows this cryptogram Cmm topass through to the second input port of the comparator 322 (step S36).

The comparator 322 judges whether the cryptogram Cm, which is alreadystored having been inputted via the first input port in step S33,matches the cryptogram Cmm inputted via the second input port (stepS37).

When the cryptograms do not match, the same process is repeated for thenext secret key Kj (steps S35-S37).

When none of the comparisons performed by the comparator 322 for all ofthe secret keys Kj aside from the secret key Ks selected in step S30results in a match, the cryptograms Ca and Cm generated in step S33 areconfirmed as suitable cryptograms, the loop process is ended, and thetransmission units 110, 111, and 112 transmit the cryptogram Cdgenerated by the encryption module 102 and the cryptograms Ca and Cmheld by the gate unit 321 to the reception apparatus 200 (step S39).

On the other hand, if the comparator 322 finds that the cryptogramsmatch in step S37, which corresponds to the case when the twocryptograms Ca and Cm generated in step S33 have been found to beunsuitable, the loop processing is canceled and the processing isrepeated starting from the generation of the message M (steps S32-S36).As a result, the comparator 322 has the gate unit 321 discard thepresent cryptograms Ca and Cm and has the message generation unit 106generate a new message M (Step S32). This message M is then used inencryption to generate new cryptograms Ca and Cm (step S33), and theprocessing to investigate whether these are suitable cryptograms isperformed (steps S34-S37)

By doing so, the transmission apparatus 300 is able to eliminate theproblems which can occur in a reception apparatus 200 that has receivedthe cryptograms Ca and Cm from the transmission apparatus 300 when thedecrypted data Mj obtained by decrypting the cryptogram Ca matches thedecrypted data Mjj obtained by decrypting the cryptogram Cm, even thoughthe reception apparatus 200 has used a secret key Kj that differs fromthe secret key Ks used by the transmission apparatus 300.

Third Embodiment

The following is an explanation of the third embodiment of the presentinvention, with reference to the drawings.

In the same way as the first embodiment, this third embodiment is asecret key encrypted communication system which uses three kinds ofcryptograms, Cd, Ca, and Cm, to transfer a secret key and a digitalproduction. The third embodiment resembles the second embodiment in thatthe transmission apparatus is further equipped with a function forensuring that an unsuitable combination of cryptograms Ca and Cm is nottransmitted to reception apparatus, but differs from the secondembodiment in the method used to achieve this.

Construction of the Transmission Apparatus

FIG. 6 is a block diagram showing the construction of the transmissionapparatus 400 of the encrypted communication system of the thirdembodiment of the present invention. In this third embodiment, thereception apparatus is identical to the reception apparatus 200described in the first embodiment.

In addition to the components 101-107 and 110-112 of the transmissionapparatus 100 in the first embodiment, the transmission apparatus 400includes two decryption modules 420 and 423, a gate unit 421, and acomparator 422.

The decryption module 420 and the gate unit 421 have the same functionsas the decryption module 320 and the gate unit 321 of the transmissionapparatus 300 of the second embodiment shown in FIG. 4. The decryptionmodule 420, the decryption module 423 and the comparator 422 also havethe same functions as the decryption module 221, the decryption module221 and the judging unit 223 of the reception apparatus 200 in the firstembodiment.

The decryption module 420 can be composed of an IC which performsdecryption according to a secret decryption algorithm D2 that is theinverse transformation of the encryption algorithm E2 of the encryptionmodule 105. This decryption module 420 repeatedly decodes the cryptogramCa generated by the encryption module 105 using each of the secret keysKj that are successively provided from the secret key storage unit 103as the decryption key, and transmits the obtained decrypted dataMa(=D2(Ca,Kj)) to the first input port of the comparator 422 and to thedecryption module 423.

The decryption module 423 can be composed of an IC which performsdecryption according to a secret decryption algorithm D3 that is theinverse transformation of the encryption algorithm E3 of the encryptionmodule 107. This decryption module 423 repeatedly decodes the cryptogramCm generated by the encryption module 107 using the decrypted data Masent from the decryption module 420 as the decryption key, and transmitsthe obtained decrypted data Mm(=D3(Cm,Ma)) to the second input port ofthe comparator 422.

The comparator 422 can be composed of a standard comparator, and judges,for each secret key Kj sent to the decryption module 420 by the secretkey selection unit 104, whether the decrypted data Mm sent from thedecryption module 423 matches the decrypted data Ma sent from thedecryption module 420.

On finding that the sets of decrypted data match, the comparator 422sends notification of the match to the message generation unit 106 andto the gate unit 421 to make the message generation unit 106 generate anew message M and to have the gate unit 421 discard the cryptograms Caand Cm which it is presently holding and instead hold the newlygenerated cryptograms Ca and Cm.

On the other hand, when the sets of decrypted data Ma and Mm do notmatch for any of the secret keys sent to the decryption module 420 bythe secret key selection unit 104, the comparator 422 sends notificationof such to the gate unit 421 to have the gate unit 421 transmit thepresently held cryptograms Ca and Cm to the transmission units 111 and112.

The gate unit 421 can be composed of a latch circuit, and is used tohold the cryptogram Ca generated by the encryption module 105 and thecryptogram Cm generated by the encryption module 107. The gate unit 421discards these cryptograms or outputs them to the transmission units 111and 112 in accordance with the notification received from the comparator422.

Operation of the Transmission Apparatus

FIG. 7 is a flowchart showing the operation procedure of thetransmission apparatus 400 in the encrypted communication system of thethird embodiment.

This flowchart is largely the same as the flowchart shown in FIG. 5 forthe second embodiment, although different evidence is used to judgewhether the cryptograms Ca and Cm are appropriate.

In the second embodiment, the decrypted data Ma obtained by thedecryption module 320 is encrypted using itself as the encryption key(step S36 in FIG. 5) and the two cryptograms Cm and Cmm are compared(step S37 in FIG. 5), while in the present embodiment, the decrypteddata Ma obtained by the decryption module 420 is used as the decryptionkey to decrypt the cryptogram Cm (step S46 in FIG. 7) and the two setsof decrypted data Ma and Mm are compared (step S47 in FIG. 7).

As in the second embodiment, the transmission apparatus 400 of the thirdembodiment eliminates the problems which can occur in a receptionapparatus 200 that has received the cryptograms Ca and Cm from thetransmission apparatus 400 when the decrypted data Mj obtained bydecrypting the cryptogram Ca matches the decrypted data Mjj obtained bydecrypting the cryptogram Cm, even though the reception apparatus 200has used a secret key Kj that differs from the secret key Ks used by thetransmission apparatus 400.

This transmission apparatus 400 of the present embodiment can be said tohave replaced the distributor 323 and the selectors 324 and 325 requiredby the transmission apparatus 300 of the second embodiment with onedecryption module 423.

The secret key management method of the present invention has beendescribed by means of the first to third embodiments given above,although it should be obvious that the technical scope of the inventionis not limited to these embodiments. Accordingly, a number ofmodifications are possible, such as those given below.

(1) The transfer medium for the secret key management method of thefirst to third embodiments was described as the cables of the transferpaths 120-122, although a recording medium such as a DVD (DigitalVideo/Versatile Disc) may be used. In such case, the transmissionapparatuses 100, 300, and 400 represent a DVD recording drive while thereception apparatus 200 represents a DVD reproduction drive.

In this secret key management technique, the secret key does not have tobe transferred in real time via the transfer path, so that it is alsopossible for a secret key to be transferred offline via a recordingmedium.

(2) In the first to third embodiments, the message M generated by themessage generation unit 106 is described as a random number that is onlyused as a carrier for transferring a secret key Ks. In the presentinvention, however, it is also possible for the message M to be aspecific message which the transmission apparatus wishes to send to thereception apparatus. This is possible since the present invention is atechnique for transferring a message and a secret key in a concealedstate from a transmission apparatus to a reception apparatus.

(3) In the first to third embodiments, three different encryptionalgorithms were used, although a single encryption algorithm may be usedinstead. It is also possible for the plurality of secret key storageunits and plurality of encryption modules or decryption modules to berealized using a circuit formed on a single semiconductor IC.

As one example, the three subcircuits of the reception apparatus 200shown in FIG. 1 may be integrated into a single subcircuit. Suchconstruction can be composed of a repetition control circuit for havingthe three secret keys K1, K2, and K3 successively read and the followingdecryption and judgement performed for each, a first decryption modulefor decrypting the cryptogram Ca according to decryption algorithm D2using the read secret key Ki as the decryption key to generate thedecrypted data Mi(=D2(Ca,Ki)), a second decryption module for decryptingthe cryptogram Cm according to decryption algorithm D3 using thedecrypted data Mi as the decryption key to generate the decrypted dataMii(=D3(Cm,Mi)), and a judging unit for judging whether these sets ofdecrypted data Mi and Mii match.

(4) The first to third embodiments describe an encrypted communicationsystem that is composed of one transmission apparatus and one receptionapparatus, although it is also possible for the system to be composed ofone transmission apparatus and a plurality of reception apparatuses.

(5) The first to third embodiments describe a case where the secret keyselection unit 104 freely selects the secret key, although the presentinvention is not limited to this selection method so that the secret keyselection unit 104 may select a secret key in accordance with priorityrankings that are established beforehand. Here, if a highly rankedsecret key is leaked or decoded, the secret key selection unit 104 canbe set to select a different key.

(6) In the first to third embodiments, three secret keys are distributedbeforehand to the transmission apparatus and the reception apparatus,with only one of these being selected and used in encryption, althoughthis does not need to be the case for the present invention. As oneexample, each apparatus may be provided with ten secret keys and acombination (such as the result of a logical XOR taken for each bitposition) of two secret keys selected out of the ten secret keys may beused as the secret key Ks, with all other combinations of two secretkeys selected from the ten secret keys being successively used in theabove embodiments as the secret key Kj.

Although the present invention has been fully described by way ofexamples with reference to accompanying drawings, it is to be noted thatvarious changes and modifications will be apparent to those skilled inthe art. Therefore, unless such changes and modifications depart fromthe scope of the present invention, they should be construed as beingincluded therein.

What is claimed is:
 1. A secret key transfer technique, used in anencrypted communication system composed of a transmission apparatus anda reception apparatus which perform encrypted communication using onesecret key selected out of a plurality of secret keys, whereby thetransmission apparatus informs the reception apparatus of the selectedsecret key,the transmission apparatus comprising:first secret keystoring means for storing the plurality of secret keys; secret keyselecting means for selecting one secret key out of the plurality ofsecret keys stored in the first secret key storing means; messagegenerating means for generating a message; first encrypting means forencrypting the message according to a first encryption algorithm usingthe secret key selected by the secret key selecting means as anencryption key to produce a first cryptogram; second encrypting meansfor encrypting the message according to a second encryption algorithmusing the message as an encryption key to produce a second cryptogram;and transferring means for transferring the first cryptogram and thesecond cryptogram to the reception apparatus, and the receptionapparatus comprising:second secret key storing means for storing theplurality of secret keys; reception means for receiving the firstcryptogram and the second cryptogram transferred from the transmissionapparatus; first decrypting means for decrypting the received firstcryptogram according to a first decryption algorithm using one secretkey selected from the plurality of secret keys as a decryption key toproduce a first set of decrypted data, wherein the first decryptionalgorithm is an inverse transformation of the first encryptionalgorithm; second decrypting means for decrypting the received secondcryptogram according to a second decryption algorithm using the firstset of decrypted data as a decryption key to produce a second set ofdecrypted data, wherein the second decryption algorithm is an inversetransformation of the second encryption algorithm; judging means forjudging whether the first set of decrypted data matches the second setof decrypted data and, when the sets of decrypted data match, forauthorizing that the secret key used by the first decryption means isthe secret key selected by the transmission apparatus; and repetitioncontrol means for having a decryption by the first decrypting means, adecryption by the second decrypting means, and a judgement and anauthorization by the judging means repeated for each of the plurality ofsecret keys in the second secret key storage means in order.
 2. Thesecret key transfer technique of claim 1,wherein the transmissionapparatus further comprises:cryptogram suitability confirming means forconfirming that the first cryptogram and the second cryptogram aresuitable cryptograms which ensure that the authorization of the judgingmeans in the reception apparatus is performed correctly, for allowingthe transferring means to transfer the first cryptogram and the secondcryptogram to the reception apparatus when the first cryptogram and thesecond cryptogram are confirmed as suitable, and for having the messagegenerating means generate a new message, the first encrypting meansrepeat encrypting and the second encrypting means repeat encrypting whenthe first cryptogram and the second cryptogram are not confirmed assuitable.
 3. The secret key transfer technique of claim 2,wherein thecryptogram suitability confirming means includes:third decrypting meansfor successively reading one secret key at a time, aside from the secretkey selected by the secret key selecting means, from the plurality ofsecret keys stored in the first secret key storing means and using theread secret key as a decryption key to decrypt the first cryptogramaccording to the first decryption algorithm to produce a third set ofdecrypted data; first encrypting control means for controlling thesecond encrypting means to generate a third cryptogram by encrypting thethird set of decrypted data according to the second encryption algorithmusing the third set of decrypted data as an encryption key; andcomparing means for comparing the second cryptogram with a thirdcryptogram generated by the third decrypting means based on each readsecret key, for judging that the first cryptogram and the secondcryptogram are suitable when none of the third cryptograms matches thesecond cryptogram, and for judging that the first cryptogram and thesecond cryptogram are not suitable when at least one of the thirdcryptograms matches the second cryptogram.
 4. The secret key transfertechnique of claim 3,wherein the transmission apparatus furthercomprises:transfer data storing means for storing transfer data that isto be transferred to the reception apparatus; and third encrypting meansfor encrypting the transfer data stored in the transfer data storingmeans according to a third encryption algorithm using the secret keyselected by the secret key selecting means as an encryption key toproduce a fourth cryptogram; wherein the transferring means transfersthe fourth cryptogram together with the first cryptogram and secondcryptogram to the reception apparatus, wherein the reception means ofthe reception apparatus receives the fourth cryptogram together with thefirst cryptogram and second cryptogram, and wherein the receptionapparatus further comprises:fourth decrypting means for decrypting thefourth cryptogram according to a third decryption algorithm using thesecret key authorized by the judging means to restore the transfer data,wherein the third decryption algorithm is an inverse transformation ofthe third encryption algorithm.
 5. The secret key transfer technique ofclaim 2,wherein the cryptogram suitability confirming meansincludes:third decrypting means for successively reading one secret keyat a time, aside from the secret key selected by the secret keyselecting means, from the plurality of secret keys stored in the firstsecret key storing means and using the read secret key as a decryptionkey to decrypt the first cryptogram according to the first decryptionalgorithm to produce a third set of decrypted data; fourth decryptingmeans for decrypting the second cryptogram according to the seconddecryption algorithm using the third set of decrypted data as adecryption key to produce a fourth set of decrypted data; and comparingmeans for comparing the third set of decrypted data and the fourth setof decrypted data, for judging that the first cryptogram and the secondcryptogram are suitable when the third set of decrypted data does notmatch the fourth set of decrypted data for any of the read secret keys,and for judging that the first cryptogram and the second cryptogram arenot suitable when the third set of decrypted data matches the fourth setof decrypted data for at least one of the read secret keys.
 6. Thesecret key transfer technique of claim 5,wherein the transmissionapparatus further comprises:transfer data storing means for storingtransfer data that is to be transferred to the reception apparatus; andthird encrypting means for encrypting the transfer data stored in thetransfer data storing means according to a third encryption algorithmusing the secret key selected by the secret key selecting means as anencryption key to produce a third cryptogram; wherein the transferringmeans transfers the third cryptogram together with the first cryptogramand second cryptogram to the reception apparatus, wherein the receptionmeans of the reception apparatus receives the third cryptogram togetherwith the first cryptogram and second cryptogram, and wherein thereception apparatus further comprises:fifth decrypting means fordecrypting the third cryptogram according to a fifth decryptionalgorithm using the secret key authorized by the judging means torestore the transfer data, wherein the fifth decryption algorithm is aninverse transformation of the third encryption algorithm.
 7. Atransmission apparatus for use in an encrypted communication systemcomposed of a transmission apparatus and a reception apparatus whichperform encrypted communication using one secret key selected out of aplurality of secret keys, with the transmission apparatus informing thereception apparatus of the selected secret key,the transmissionapparatus comprising:secret key storing means for storing the pluralityof secret keys; secret key selecting means for selecting one secret keyout of the plurality of secret keys that are stored in the secret keystoring means; message generating means for generating a message; firstencrypting means for encrypting the message according to a firstencryption algorithm using the secret key selected by the secret keyselecting means as an encryption key to produce a first cryptogram;second encrypting means for encrypting the message according to a secondencryption algorithm using the message as an encryption key to produce asecond cryptogram; and transferring means for transferring the firstcryptogram and the second cryptogram to the reception apparatus.
 8. Thetransmission apparatus of claim 7, wherein the transmission apparatusfurther comprises:cryptogram suitability confirming means for confirmingthat the first cryptogram and the second cryptogram are suitablecryptograms which ensure that an authorization in the receptionapparatus is performed correctly, for allowing the transferring means totransfer the first cryptogram and the second cryptogram to the receptionapparatus when the first cryptogram and the second cryptogram areconfirmed as suitable, and for having the message generating meansgenerate a new message, the first encrypting means repeat encrypting andthe second encrypting means repeat encrypting when the first cryptogramand the second cryptogram are not confirmed as suitable.
 9. Thetransmission apparatus of claim 8,wherein the cryptogram suitabilityconfirming means includes:first decrypting means for successivelyreading one secret key at a time, aside from the secret key selected bythe secret key selecting means, from the plurality of secret keys storedin the secret key storing means and using the read secret key as adecryption key to decrypt the first cryptogram according to a firstdecryption algorithm to produce a first set of decrypted data, whereinthe first decryption algorithm is an inverse transformation of the firstencryption algorithm; a first encrypting control means for controllingthe second encrypting means to generate a third cryptogram by encryptingthe third set of decrypted data according to the second encryptionalgorithm using the third set of decrypted data as an encryption key;and a comparing means for comparing the second cryptogram with a thirdcryptogram generated based on each read secret key, for judging that thefirst cryptogram and the second cryptogram are suitable when none of thethird cryptograms matches the second cryptogram, and for judging thatthe first cryptogram and the second cryptogram are not suitable when atleast one of the third cryptograms matches the second cryptogram. 10.The transmission apparatus of claim 9, further comprising:transfer datastoring means for storing transfer data that is to be transferred to thereception apparatus; and third encrypting means for encrypting thetransfer data stored in the transfer data storing means according to athird encryption algorithm using the secret key selected by the secretkey selecting means as an encryption key to produce a fourth cryptogram;wherein the transferring means transfers the fourth cryptogram togetherwith the first cryptogram and second cryptogram to the receptionapparatus.
 11. The transmission apparatus of claim 8,wherein thecryptogram suitability confirming means includes:first decrypting meansfor successively reading one secret key at a time, aside from the secretkey selected by the secret key selecting means, from the plurality ofsecret keys stored in the secret key storing means and using the readsecret key as a decryption key to decrypt the first cryptogram accordingto a first decryption algorithm to produce a first set of decrypteddata, wherein the first decryption algorithm is an inversetransformation of the first encryption algorithm; second decryptingmeans for decrypting the second cryptogram according to a seconddecryption algorithm using the first set of decrypted data as adecryption key to produce a second set of decrypted data, wherein thesecond decryption algorithm is an inverse transformation of the secondencryption algorithm; and comparing means for comparing the first set ofdecrypted data and the second set of decrypted data, for for judgingthat the first cryptogram and the second cryptogram are suitable whenthe first cryptogram does not match the second cryptogram for any of theread secret keys, and for judging that the first cryptogram and thesecond cryptogram are not suitable when the first cryptogram matches thesecond cryptogram for at least one of the read secret keys.
 12. Thetransmission apparatus of claim 11, further comprising:transfer datastoring means for storing transfer data that is to be transferred to thereception apparatus; and third encrypting means for encrypting thetransfer data stored in the transfer data storing means according to athird encryption algorithm using the secret key selected by the secretkey selecting means as an encryption key to produce a third cryptogram;wherein the transferring means transfers the third cryptogram togetherwith the first cryptogram and second cryptogram to the receptionapparatus.
 13. A reception apparatus for use in an encryptedcommunication system composed of a transmission apparatus and areception apparatus which perform encrypted communication using onesecret key selected out of a plurality of secret keys, the receptionapparatus receiving a first cryptogram and a second cryptogram from thetransmission apparatus to indicate the selected secret key,the receptionapparatus comprising:secret key storing means for storing the pluralityof secret keys; reception means for receiving the first cryptogram andthe second cryptogram transferred from the transmission apparatus; firstdecrypting means for decrypting the received first cryptogram accordingto a first decryption algorithm using one secret key selected from theplurality of secret keys as a decryption key to produce a first set ofdecrypted data, wherein the first decryption algorithm is an inversetransformation of a first encryption algorithm that was used to encryptthe first cryptogram; second decrypting means for decrypting thereceived second cryptogram according to a second decryption algorithmusing the first set of decrypted data as a decryption key to produce asecond set of decrypted data, wherein the second decryption algorithm isan inverse transformation of a second encryption algorithm that was usedto encrypt the second cryptogram; judging means for judging whether thefirst set of decrypted data matches the second set of decrypted dataand, when the sets of decrypted data match, for authorizing that thesecret key used by the first decryption means is a secret key selectedby the transmission apparatus; and repetition control means for having adecryption by the first decrypting means, a decryption by the seconddecrypting means, and a judging and an authorizing by the judging meansrepeated for each of the plurality of secret keys in the secret keystorage means in order.
 14. The reception apparatus of claim 13,whereinthe reception means receives a third cryptogram together with the firstcryptogram and second cryptogram, the third cryptogram having beengenerated by the transmission apparatus encrypting transfer dataaccording to a third encryption algorithm using the selected secret keyas an encryption key, the reception apparatus further comprising:thirddecrypting means for decrypting the third cryptogram according to athird decryption algorithm using the secret key authorized by thejudging means to restore the transfer data, wherein the third decryptionalgorithm is an inverse transformation of the third encryptionalgorithm.